What is Google Play’s new ‘Data safety’ and How it May Affect Your Mobile App?

Starting late April 2022, a new section regarding data privacy, introduced by Google initially last year, will be shown on the app’s site in Google Play. From this point on, users will be able to view information submitted by developers on how data is used before they decide to download the app.

By 20 July 2022, this section will be mandatory for all developers and all apps will have to contain a Privacy Policy within the app, and have it posted in the Google Play Console.

Increasing information requirements for software providers is a part of the global data privacy trend that can be observed since GDPR (2018), followed by CCPA (2020) and the introduction of other cross-border laws. At the same time, the awareness of consumers and their concerns over how their data is collected, used or shared is becoming more and more significant, which, given that a lot of regions in the world are still struggling to provide citizens with consistent and efficient privacy laws, puts pressure on private corporations to dictate new universal privacy practices.

This unclear situation may be seen as an obstacle, especially for business owners who, at the end of the day, have to comply with all these requirements, taking into account users’ safety, their products’ goals and multiple business-related factors.

In this article, we:

  • provide a better understanding with tips on how to include the correct information in Google’s new ‘Data safety’ section
  • compare selected GDPR and CCPA requirements with the content of the ‘Data Safety’ section
  • describe how the user-centric approach to privacy may be a solution to unstable privacy sector regulations.

‘Data Safety’ in Google Play Console – how to provide correct information?

Submitting the ‘Data Safety’ section requires general insights and knowledge on what data is used by the app, how it is used and for what purposes.

Types of data

In the form, you can choose from different categories and types of data. Below, you will find the data that is most significant from a legal perspective and that Google requires to be disclosed in the form, with a comment on its processing requirements under GDPR.

Location
  • Data types: approximate location, precise location
  • GDPR comment: Location can be processed under the legal basis of the user’s consent (Article 6.1 (a) GDPR). The consent should be actively given by the user (for instance, by selecting a checkbox). Please remember that the user should be able to easily withdraw their consent at any time.

Personal info
  • Data types: name, e-mail address, user ID, address, phone number, date of birth
  • GDPR comment: Depending on the purpose of your app, this information may be processed on various legal bases (in most cases, Article 6.1 (b) or 6.1 (f) GDPR). In all cases, data collection under GDPR should follow the principle of data minimization, meaning that the app should collect only the exact amount of data necessary to provide its functionalities. Google also puts an emphasis on this issue in its User Data policy (“Only request access to the minimal, technically feasible scope of access that is necessary to implement existing features or services in your application, and limit access to the minimum amount of data needed”). In addition, this type of data is considered common and doesn’t require extraordinary legal attention apart from fulfilling standard GDPR requirements.
  • Data types: race and ethnicity, political or religious beliefs, sexual orientation, gender identity, veteran status; also: health info, genetic data, biometric data, and trade union membership
  • GDPR comment: This kind of data is considered sensitive under GDPR and is under special technical and organizational protection. GDPR doesn’t allow the processing of this data at all, except for a few situations, of which only one may apply to the private sector (explicit user consent, Article 9.2 (a) GDPR); however, the collection of such data should always be very precisely justified.

Financial info
  • Data types: user payment info, purchase history, credit score, salary, debts, etc.
  • GDPR comment: This information is usually processed under Article 6.1 (b) GDPR as necessary for providing services in the app; however, any data breach that may occur in relation to this type of data may lead to irreparable damage to the user’s safety, which can be a basis for competent authorities to initiate proceedings under GDPR.

Contacts
  • Data types: user’s contact names, message history, call history, contact frequency, interaction duration
  • GDPR comment: If the app’s functionalities require access to the user’s contact details, resulting in the app owners or developers gaining access to the personal data of persons who have not consented to such processing, this leads to a situation which is highly undesirable under GDPR. Establishing a legal basis for such processing requires details of a specific case in a given app; nevertheless, the owner or developer of the app has 30 days to inform these persons about its identity and details of their access.

Please also note that, even where the app doesn’t collect a certain type of data directly, if it is reasonably feasible for you to derive that data from other data the app collects (e.g. a photo allows obtaining information on ethnicity), then you should also disclose such additional types of data in the form.

Purposes

The ‘Data safety’ form will also ask about the purposes of each type of data which was selected previously as data used by the app. In the table below, we look at the purposes indicated by Google in the context of legal requirements.

App functionality
  • Description: Used for features that are available in the app
  • Legal comment: As long as data is collected and used only for these purposes, there are no legal controversies here. Providing the user with previously advertised features, managing the user’s account and supporting security purposes are seen as legal obligations of the app provider and as a legal contract between the app provider and the user. The app provider, under GDPR and CCPA, is required to provide a privacy notice at the latest when the data is collected. This can be done, for instance, by posting a privacy policy in the app and Google Play Console.

Account management
  • Description: Used for setting up or managing a user’s account with the developer

Fraud prevention, security, and compliance
  • Description: Used for fraud prevention, security, or compliance with laws

Developer communication
  • Description: Used to contact the user to notify them about news, new features, etc.

Advertising or marketing
  • Description: Used to display or target ads, marketing communications, or measuring ad performance
  • Legal comment: Under privacy laws, processing personal data for marketing purposes generally doesn’t require a user’s consent; however, it always requires the user’s knowledge – please make sure to place relevant information in the privacy policy. Under GDPR, users have a right to object to the processing of their data for marketing purposes. It is sufficient to inform the user about this right and enable them to exercise it by simply contacting the app provider (data controller). On the other hand, under CCPA, the user has a right to opt out of the sale of their personal information (“sale” is interpreted very broadly, covering many types of data sharing between various entities). CCPA requires a specific feature to be implemented to exercise this right (a “Do not sell my personal information” link). Please note that consent to receiving marketing information may be required under local state regulations.

Personalization
  • Description: Used to customize your app, such as showing recommended content or suggestions
  • Legal comment: In general, the personalization of your app is not subject to any laws, unless such personalization may lead to a situation in which a user is provided with options which may influence their legal or life position in a serious way (“profiling” under GDPR). Experts have differing views on whether presenting customized ads to a user should be considered “profiling” under GDPR; however, it is certain that, if the customer is denied a service based on an algorithm-made decision, it is considered “profiling” and it requires the explicit consent of the respective customer. Also, if, for instance, a user is shown specific personalized ads for loans based on information about their poor financial status, it can be viewed as profiling. At all times, the user should be informed whether profiling in the app applies to them.

(Source of categories and descriptions of purposes).

Please make sure that, when your app collects data from users, the users are properly informed about the purposes of processing their data. The majority of data safety regulations around the world forbid (or restrict) using data for a purpose other than the one for which it was collected without obtaining a separate consent from the user.

Types of activities performed in connection with personal information

Google requires the app provider to declare what types of operations are performed in the app on the user’s personal information. Google provides the following types of activities:

  • data collection, referring to data transmitted from the user to the app;
  • data sharing, referring to the transfer of collected data to other entities (e.g. server providers, another app, payment services);
  • handling, referring to the statement of which data types are optional (the user may or may not provide the details and still sign up) or required.

Providing additional information

In the section “About this app”, you can provide users with additional information regarding the processing of their personal data in the app. This includes, for instance:

  • informing users about opt-out features;
  • informing users about encryption;
  • any differences in processing the data in specific app versions.

Does my app have to comply with privacy laws to be positively reviewed by Google?

Google reviews information provided in the ‘Data safety’ section as part of the app review process. Google verifies this information against:

  • the content of the app for checking the authenticity and correctness of given information;
  • requirements around data transparency and control included in the Google Play Developer program policies.

Therefore, Google does not verify the provided data against the requirements of any specific laws.

If Google’s review shows that the data is either misrepresented or is not compliant with the User Data policy, the developer will be asked to fix the issues. Subsequent negative reviews may result in blocking updates or removing the app from the store.

Tips on providing the most accurate information

  1. Make sure that the app is compliant with the User Data policy and other Google Play Developer program policies.
  2. Make sure that your app contains a privacy policy and that the privacy policy is posted in Google Play Console.
  3. Review the app on your own, specifically paying attention to:
    • Listing all required and optional data types;
    • Allocating data types to purposes for which data types are used in the app;
    • Listing all the processes of data usage in terms of whether data is collected and shared;
    • Checking what data types are processed ephemerally (meaning that the app accesses and uses data while it is only stored in the memory and for no longer than necessary to provide a certain feature or request).
  4. Make sure that your responses reflect the actual behavior and content of the app.

User-centric approach to privacy

A user-centered privacy approach in design and development is a response to fast-changing legal environments in terms of privacy regulations, which are different and specific to a given region. This approach is also an element of GDPR, which puts an emphasis on privacy by design, a principle according to which companies are encouraged to implement measures, at the earliest stages of the design of processing operations, in such a way as to safeguard privacy and data protection principles right from the start. The user-centric approach expands this definition with a guideline to analyze the user’s behavioral engagement in order to identify potential privacy risks at the stage of defining the user’s journey, and it highlights the importance of extending the existing UX evaluation techniques to improve the usability of privacy implementations in systems.

This approach:

  • meets most of the requirements of the leading global privacy acts (in Europe and USA) and is actually consistent with the trends observed in the privacy sector;
  • ensures, due to its complexity, that any destabilization caused by implementing a new policy in Google Play or App Store, or new federal laws on privacy, which are commonly based on existing laws, can be prevented.

It is not possible to foresee what specific changes to privacy laws or policies can be introduced in the future; however, building an app along with the guidelines of this approach reduces the likelihood that any new change will require drastic modifications in the features or construction of the app.

In other words, if Google introduces another ‘Data Safety’ section, an app built along privacy by design principles will already have all its purposes and operations on data documented, and will therefore not have to be modified in terms of data collection features to be compliant with new regulations.

Summary

Considering all privacy requirements in app development may pose a challenge. We hope this article will help you understand this new part of the Android app review process.

Droids On Roids always helps Clients release apps, supporting them with their professional knowledge and versatile expertise. If you have any questions, you can contact the author.

Disclaimer: Please consider that all the above-mentioned information shall in no way be considered legal advice.